Bug 2163037 (CVE-2022-3064)
| Field | Value |
|---|---|
| Summary | CVE-2022-3064 go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents |
| Product | [Other] Security Response |
| Reporter | Avinash Hanwate <ahanwate> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | unspecified |
| CC | aazores, abenaiss, abishop, adudiak, alitke, amackenz, amasferr, amctagga, ansmith, aoconnor, bbaude, bbuckingham, bcl, bcoca, bcourt, bdettelb, bkundu, bniver, btotty, chazlett, cmarinea, cwelton, davidn, dcadzow, debarshir, desktop-qa-list, dfreiber, dwalsh, dymurray, eaguilar, ebaron, eglynn, ehelms, ellin, epacific, fdeutsch, fjansen, flucifre, gmeno, gparvin, grafana-maint, hhorak, ibolton, jaharrin, jburrell, jcammara, jcantril, jchui, jeder, jhardy, jjoyce, jkang, jkurik, jligon, jmatthew, jmontleo, jneedle, jnovy, jobarker, jorton, jpallich, jshaughn, jsherril, jwendell, jwon, kshier, lball, lgamliel, lhh, lmadsen, lsm5, lzap, mabashia, matzew, mbenjamin, mboddu, mburns, mcressma, mfilanov, mgarciac, mhackett, mheon, mhulan, mkudlej, mokumar, mrunge, muagarwa, mwringe, nalin, nathans, nboldt, njean, nmoumoul, nobody, ocs-bugs, orabin, oramraz, osapryki, osbuilders, oskutka, owatkins, pahickey, pakotvan, pcreech, pehunt, periklis, phoracek, pjindal, pknezevi, pthomas, rcernich, rchan, rfreiman, rgarg, rhcos-sst, rhos-maint, rhuss, rogbas, rrajasek, saroy, scorneli, scox, sfroberg, sgott, shbose, simaishi, slucidi, smcdonal, smullick, sostapov, spower, sseago, stcannon, stirabos, teagle, tfister, thrcka, tjochec, tnielsen, tsweeney, twalsh, ubhargav, umohnani, vereddy, vkumar, whayutin, yguenane, zsadeh |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | gopkg.in/yaml.v2 2.2.4 |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in go-yaml. This issue causes the consumption of excessive amounts of CPU or memory when attempting to parse a large or maliciously crafted YAML document. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2023-03-15 23:32:29 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 2163540, 2163541, 2163542, 2163553, 2163539, 2163543, 2163544, 2163545, 2163546, 2163547, 2163548, 2163549, 2163550, 2163551, 2163552, 2163555, 2163556, 2163557, 2163558, 2163560, 2164213, 2164540, 2164979, 2164980, 2164981, 2164982, 2164983, 2164984, 2165601, 2165602 |
| Bug Blocks | 2156736 |
Description
Avinash Hanwate
2023-01-23 04:54:14 UTC
- Created caddy tracking bugs for this issue: Affects: epel-all [bug 2163539]
- Created etcd tracking bugs for this issue: Affects: openstack-rdo [bug 2163553]
- Created exercism tracking bugs for this issue: Affects: fedora-all [bug 2163543]
- Created gmailctl tracking bugs for this issue: Affects: fedora-all [bug 2163544]
- Created golang-github-francoispqt-gojay tracking bugs for this issue: Affects: fedora-all [bug 2163545]
- Created golang-github-grpc-ecosystem-gateway tracking bugs for this issue: Affects: fedora-all [bug 2163546]
- Created golang-github-instrumenta-kubeval tracking bugs for this issue: Affects: fedora-all [bug 2163547]
- Created golang-gopkg-yaml tracking bugs for this issue: Affects: epel-all [bug 2163540]
- Created golie tracking bugs for this issue: Affects: epel-all [bug 2163541]
- Created kompose tracking bugs for this issue: Affects: epel-all [bug 2163542]; Affects: fedora-all [bug 2163548]
- Created manifest-tool tracking bugs for this issue: Affects: fedora-all [bug 2163549]
- Created moby-engine tracking bugs for this issue: Affects: fedora-all [bug 2163550]
- Created origin tracking bugs for this issue: Affects: fedora-all [bug 2163551]
- Created yggdrasil tracking bugs for this issue: Affects: fedora-all [bug 2163552]
- Created caddy tracking bugs for this issue: Affects: epel-all [bug 2164213]

This issue has been addressed in the following products:

- Red Hat OpenShift Container Platform 4.10 Via RHSA-2023:0698 https://access.redhat.com/errata/RHSA-2023:0698
- Red Hat OpenShift GitOps 1.6 Via RHSA-2023:0802 https://access.redhat.com/errata/RHSA-2023:0802
- Red Hat OpenShift GitOps 1.7 Via RHSA-2023:0803 https://access.redhat.com/errata/RHSA-2023:0803
- Red Hat OpenShift GitOps 1.5 Via RHSA-2023:0804 https://access.redhat.com/errata/RHSA-2023:0804
- Red Hat OpenShift Container Platform 4.9 Via RHSA-2023:0778 https://access.redhat.com/errata/RHSA-2023:0778
- Red Hat OpenStack Platform 17.0 Via RHSA-2023:1014 https://access.redhat.com/errata/RHSA-2023:1014
- Red Hat OpenShift Container Platform 4.10 Via RHSA-2023:0899 https://access.redhat.com/errata/RHSA-2023:0899
- Red Hat OpenStack Platform 16.1, Red Hat OpenStack Platform 16.2 Via RHSA-2023:1275 https://access.redhat.com/errata/RHSA-2023:1275

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-3064

This issue has been addressed in the following products:

- Red Hat OpenShift Container Platform 4.12 Via RHSA-2023:2111 https://access.redhat.com/errata/RHSA-2023:2111
- Red Hat OpenShift Container Platform 4.11 Via RHSA-2023:2695 https://access.redhat.com/errata/RHSA-2023:2695
- Red Hat OpenShift Container Platform 4.10 Via RHSA-2023:3218 https://access.redhat.com/errata/RHSA-2023:3218
- Red Hat OpenShift Container Platform 4.14 Via RHSA-2023:5006 https://access.redhat.com/errata/RHSA-2023:5006
- Red Hat Enterprise Linux 9 Via RHSA-2023:6346 https://access.redhat.com/errata/RHSA-2023:6346
- Red Hat Enterprise Linux 8 Via RHSA-2023:6938 https://access.redhat.com/errata/RHSA-2023:6938
- Red Hat Enterprise Linux 8 Via RHSA-2023:6939 https://access.redhat.com/errata/RHSA-2023:6939
- Red Hat OpenShift Container Platform 4.13 Via RHSA-2024:0741 https://access.redhat.com/errata/RHSA-2024:0741